add securityContext to helm chart
Signed-off-by: Jan Jansen <jan.jansen@gdata.de>
farodin91 committed Oct 16, 2023
1 parent ee8cb7c commit 992e136
Showing 4 changed files with 12 additions and 0 deletions.
3 changes: 3 additions & 0 deletions deploy/helm/README.md
Expand Up @@ -34,6 +34,7 @@ For upgrade please install CRDs separately:
| dashboards.grafana_folder | string | `"clickhouse"` | |
| fullnameOverride | string | `""` | full name of the chart. |
| imagePullSecrets | list | `[]` | image pull secret for private images |
| metrics.containerSecurityContext | object | `{}` | |
| metrics.enabled | bool | `true` | |
| metrics.env | list | `[]` | additional environment variables for the deployment |
| metrics.image.pullPolicy | string | `"IfNotPresent"` | image pull policy |
Expand All @@ -42,12 +43,14 @@ For upgrade please install CRDs separately:
| metrics.resources | object | `{}` | custom resource configuration |
| nameOverride | string | `""` | override name of the chart |
| nodeSelector | object | `{}` | node for scheduler pod assignment |
| operator.containerSecurityContext | object | `{}` | |
| operator.env | list | `[]` | additional environment variables for the deployment |
| operator.image.pullPolicy | string | `"IfNotPresent"` | image pull policy |
| operator.image.repository | string | `"altinity/clickhouse-operator"` | image repository |
| operator.image.tag | string | `""` | image tag (chart's appVersion value will be used if not set) |
| operator.resources | object | `{}` | custom resource configuration |
| podAnnotations | object | `{"prometheus.io/port":"8888","prometheus.io/scrape":"true"}` | annotations to add to the pod |
| podSecurityContext | object | `{}` | |
| secret.create | bool | `true` | create a secret with operator credentials |
| secret.password | string | `"clickhouse_operator_password"` | operator credentials password |
| secret.username | string | `"clickhouse_operator"` | operator credentials username |
Expand Up @@ -113,6 +113,7 @@ spec:
resource: limits.memory
{{ with .Values.operator.env }}{{ toYaml . | nindent 12 }}{{ end }}
resources: {{ toYaml .Values.operator.resources | nindent 12 }}
securityContext: {{ toYaml .Values.operator.containerSecurityContext | nindent 12 }}
{{ if .Values.metrics.enabled }}
- name: metrics-exporter
image: {{ .Values.metrics.image.repository }}:{{ include "altinity-clickhouse-operator.metrics.tag" . }}
Expand Down Expand Up @@ -182,8 +183,10 @@ spec:
- containerPort: 8888
name: metrics
resources: {{ toYaml .Values.metrics.resources | nindent 12 }}
securityContext: {{ toYaml .Values.metrics.containerSecurityContext | nindent 12 }}
{{ end }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
3 changes: 3 additions & 0 deletions deploy/helm/values.yaml
Expand Up @@ -8,6 +8,7 @@ operator:
# operator.image.pullPolicy -- image pull policy

pullPolicy: IfNotPresent
containerSecurityContext: {}
# operator.resources -- custom resource configuration

resources: {}
Expand Down Expand Up @@ -39,6 +40,7 @@ metrics:
# metrics.image.pullPolicy -- image pull policy

pullPolicy: IfNotPresent
containerSecurityContext: {}
# metrics.resources -- custom resource configuration

resources: {}
Expand Down Expand Up @@ -99,6 +101,7 @@ tolerations: []
# affinity -- affinity for scheduler pod assignment

affinity: {}
podSecurityContext: {}
serviceMonitor:
# serviceMonitor.enabled -- ServiceMonitor CRD is created for a prometheus operator
enabled: false
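Review bot: The three new keys (`operator.containerSecurityContext`, `metrics.containerSecurityContext`, `podSecurityContext`) all default to `{}`, so no hardening is applied unless the user opts in. If the operator and metrics-exporter images can run unprivileged (not visible from this diff, so confirm first), safer defaults would be `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` at container level and `runAsNonRoot: true` at pod level. The new keys also lack the `# key -- description` comment their neighbours carry, which is why their rows in the README table have an empty description. For example, `# podSecurityContext -- security context applied to the operator pod` and the equivalent for the two container keys would fill those in.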
3 changes: 3 additions & 0 deletions dev/generate_helm_chart.sh
Expand Up @@ -189,6 +189,7 @@ function update_deployment_resource() {
yq e -i '.spec.template.spec.nodeSelector |= "{{ toYaml .Values.nodeSelector | nindent 8 }}"' "${file}"
yq e -i '.spec.template.spec.affinity |= "{{ toYaml .Values.affinity | nindent 8 }}"' "${file}"
yq e -i '.spec.template.spec.tolerations |= "{{ toYaml .Values.tolerations | nindent 8 }}"' "${file}"
yq e -i '.spec.template.spec.securityContext |= "{{ toYaml .Values.podSecurityContext | nindent 8 }}"' "${file}"

for cm in $(yq e '.spec.template.spec.volumes[].configMap.name' "${file}"); do
local prefix='{{ include \"altinity-clickhouse-operator.fullname\" . }}'
Expand All @@ -202,12 +203,14 @@ function update_deployment_resource() {
yq e -i '.spec.template.spec.containers[0].image |= "{{ .Values.operator.image.repository }}:{{ include \"altinity-clickhouse-operator.operator.tag\" . }}"' "${file}"
yq e -i '.spec.template.spec.containers[0].imagePullPolicy |= "{{ .Values.operator.image.pullPolicy }}"' "${file}"
yq e -i '.spec.template.spec.containers[0].resources |= "{{ toYaml .Values.operator.resources | nindent 12 }}"' "${file}"
yq e -i '.spec.template.spec.containers[0].securityContext |= "{{ toYaml .Values.operator.containerSecurityContext | nindent 12 }}"' "${file}"
yq e -i '(.spec.template.spec.containers[0].env[] | select(.valueFrom.resourceFieldRef.containerName == "clickhouse-operator") | .valueFrom.resourceFieldRef.containerName) = "{{ .Chart.Name }}"' "${file}"
yq e -i '.spec.template.spec.containers[0].env += ["{{ with .Values.operator.env }}{{ toYaml . | nindent 12 }}{{ end }}"]' "${file}"

yq e -i '.spec.template.spec.containers[1].image |= "{{ .Values.metrics.image.repository }}:{{ include \"altinity-clickhouse-operator.metrics.tag\" . }}"' "${file}"
yq e -i '.spec.template.spec.containers[1].imagePullPolicy |= "{{ .Values.metrics.image.pullPolicy }}"' "${file}"
yq e -i '.spec.template.spec.containers[1].resources |= "{{ toYaml .Values.metrics.resources | nindent 12 }}"' "${file}"
yq e -i '.spec.template.spec.containers[1].securityContext |= "{{ toYaml .Values.metrics.containerSecurityContext | nindent 12 }}"' "${file}"
yq e -i '(.spec.template.spec.containers[1].env[] | select(.valueFrom.resourceFieldRef.containerName == "clickhouse-operator") | .valueFrom.resourceFieldRef.containerName) = "{{ .Chart.Name }}"' "${file}"
yq e -i '.spec.template.spec.containers[1].env += ["{{ with .Values.metrics.env }}{{ toYaml . | nindent 12 }}{{ end }}"]' "${file}"
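Review bot: Any `securityContext` already present in the source manifest is overwritten by the three added `|=` assignments (pod level, `containers[0]`, `containers[1]`), and the values they point to default to `{}`. If the upstream manifest ever ships a hardened context, the generated chart would silently lose it unless the same settings are mirrored in `values.yaml`; whether the manifest sets one today is not visible here. The container lines also depend on positional indexes, so a reordering of containers would attach the operator's context to the wrong container; selecting by container name would be more robust for a security setting. A comment above the new lines such as `# securityContext is fully values-driven; any value in the source manifest is overwritten` would record the intent. `update_deployment_resource` begins and ends outside these hunks.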
